diff options
author | Simo Sorce <idra@samba.org> | 2002-10-06 23:53:34 +0000 |
---|---|---|
committer | Simo Sorce <idra@samba.org> | 2002-10-06 23:53:34 +0000 |
commit | 650e0274a1ea98a953b2e6f44e7e8e880d418565 (patch) | |
tree | 0609f985d0cf4b44c5f9012ffaedc5977c0c2ce8 | |
parent | 76d111aed1dc6457e98ef4193a44360c8ae769bc (diff) | |
download | samba-650e0274a1ea98a953b2e6f44e7e8e880d418565.tar.gz samba-650e0274a1ea98a953b2e6f44e7e8e880d418565.tar.bz2 samba-650e0274a1ea98a953b2e6f44e7e8e880d418565.zip |
try to put every security descriptors related definitions in the same file.
also try to uniform names to a clean scheme.
first part.
(This used to be commit a123e05877caf90c28980be2d84b1d0b46e4fd21)
-rw-r--r-- | source3/include/rpc_samr.h | 166 | ||||
-rw-r--r-- | source3/include/rpc_secdes.h | 247 | ||||
-rw-r--r-- | source3/include/smb.h | 11 | ||||
-rw-r--r-- | source3/lib/util_seaccess.c | 4 | ||||
-rw-r--r-- | source3/lib/util_sid.c | 40 | ||||
-rw-r--r-- | source3/rpc_server/srv_reg_nt.c | 1 | ||||
-rw-r--r-- | source3/rpc_server/srv_samr.c | 1 | ||||
-rw-r--r-- | source3/rpc_server/srv_samr_nt.c | 88 | ||||
-rw-r--r-- | source3/sam/interface.c | 4 | ||||
-rw-r--r-- | source3/utils/net_rpc.c | 4 |
10 files changed, 327 insertions, 239 deletions
diff --git a/source3/include/rpc_samr.h b/source3/include/rpc_samr.h index 6b537715b8..e1fa9c06bc 100644 --- a/source3/include/rpc_samr.h +++ b/source3/include/rpc_samr.h @@ -147,172 +147,6 @@ SamrTestPrivateFunctionsUser #define SAMR_SET_USERINFO 0x3A #define SAMR_CONNECT4 0x3E -/* Access bits to the SAM-object */ - -#define SAMR_ACCESS_UNKNOWN_1 0x00000001 -#define SAMR_ACCESS_SHUTDOWN_SERVER 0x00000002 -#define SAMR_ACCESS_UNKNOWN_4 0x00000004 -#define SAMR_ACCESS_UNKNOWN_8 0x00000008 -#define SAMR_ACCESS_ENUM_DOMAINS 0x00000010 -#define SAMR_ACCESS_OPEN_DOMAIN 0x00000020 - -#define SAMR_ALL_ACCESS ( STANDARD_RIGHTS_REQUIRED_ACCESS | \ - SAMR_ACCESS_OPEN_DOMAIN | \ - SAMR_ACCESS_ENUM_DOMAINS | \ - SAMR_ACCESS_UNKNOWN_8 | \ - SAMR_ACCESS_UNKNOWN_4 | \ - SAMR_ACCESS_SHUTDOWN_SERVER | \ - SAMR_ACCESS_UNKNOWN_1 ) - -#define SAMR_READ ( STANDARD_RIGHTS_READ_ACCESS | \ - SAMR_ACCESS_ENUM_DOMAINS ) - -#define SAMR_WRITE ( STANDARD_RIGHTS_WRITE_ACCESS | \ - SAMR_ACCESS_UNKNOWN_8 | \ - SAMR_ACCESS_UNKNOWN_4 | \ - SAMR_ACCESS_SHUTDOWN_SERVER ) - -#define SAMR_EXECUTE ( STANDARD_RIGHTS_EXECUTE_ACCESS | \ - SAMR_ACCESS_OPEN_DOMAIN | \ - SAMR_ACCESS_UNKNOWN_1 ) - -/* Access bits to Domain-objects */ - -#define DOMAIN_ACCESS_LOOKUP_INFO_1 0x000000001 -#define DOMAIN_ACCESS_SET_INFO_1 0x000000002 -#define DOMAIN_ACCESS_LOOKUP_INFO_2 0x000000004 -#define DOMAIN_ACCESS_SET_INFO_2 0x000000008 -#define DOMAIN_ACCESS_CREATE_USER 0x000000010 -#define DOMAIN_ACCESS_CREATE_GROUP 0x000000020 -#define DOMAIN_ACCESS_CREATE_ALIAS 0x000000040 -#define DOMAIN_ACCESS_LOOKUP_ALIAS_BY_MEM 0x000000080 -#define DOMAIN_ACCESS_ENUM_ACCOUNTS 0x000000100 -#define DOMAIN_ACCESS_OPEN_ACCOUNT 0x000000200 -#define DOMAIN_ACCESS_SET_INFO_3 0x000000400 - -#define DOMAIN_ALL_ACCESS ( STANDARD_RIGHTS_REQUIRED_ACCESS | \ - DOMAIN_ACCESS_SET_INFO_3 | \ - DOMAIN_ACCESS_OPEN_ACCOUNT | \ - DOMAIN_ACCESS_ENUM_ACCOUNTS | \ - DOMAIN_ACCESS_LOOKUP_ALIAS_BY_MEM | \ - DOMAIN_ACCESS_CREATE_ALIAS | \ - DOMAIN_ACCESS_CREATE_GROUP | \ - DOMAIN_ACCESS_CREATE_USER | \ - DOMAIN_ACCESS_SET_INFO_2 | \ - DOMAIN_ACCESS_LOOKUP_INFO_2 | \ - DOMAIN_ACCESS_SET_INFO_1 | \ - DOMAIN_ACCESS_LOOKUP_INFO_1 ) - -#define DOMAIN_READ ( STANDARD_RIGHTS_READ_ACCESS | \ - DOMAIN_ACCESS_LOOKUP_ALIAS_BY_MEM | \ - DOMAIN_ACCESS_LOOKUP_INFO_2 ) - -#define DOMAIN_WRITE ( STANDARD_RIGHTS_WRITE_ACCESS | \ - DOMAIN_ACCESS_SET_INFO_3 | \ - DOMAIN_ACCESS_CREATE_ALIAS | \ - DOMAIN_ACCESS_CREATE_GROUP | \ - DOMAIN_ACCESS_CREATE_USER | \ - DOMAIN_ACCESS_SET_INFO_2 | \ - DOMAIN_ACCESS_SET_INFO_1 ) - -#define DOMAIN_EXECUTE ( STANDARD_RIGHTS_EXECUTE_ACCESS | \ - DOMAIN_ACCESS_OPEN_ACCOUNT | \ - DOMAIN_ACCESS_ENUM_ACCOUNTS | \ - DOMAIN_ACCESS_LOOKUP_INFO_1 ) - -/* Access bits to User-objects */ - -#define USER_ACCESS_GET_NAME_ETC 0x00000001 -#define USER_ACCESS_GET_LOCALE 0x00000002 -#define USER_ACCESS_SET_LOC_COM 0x00000004 -#define USER_ACCESS_GET_LOGONINFO 0x00000008 -#define USER_ACCESS_UNKNOWN_10 0x00000010 -#define USER_ACCESS_SET_ATTRIBUTES 0x00000020 -#define USER_ACCESS_CHANGE_PASSWORD 0x00000040 -#define USER_ACCESS_SET_PASSWORD 0x00000080 -#define USER_ACCESS_GET_GROUPS 0x00000100 -#define USER_ACCESS_UNKNOWN_200 0x00000200 -#define USER_ACCESS_UNKNOWN_400 0x00000400 - -#define USER_ALL_ACCESS ( STANDARD_RIGHTS_REQUIRED_ACCESS | \ - USER_ACCESS_UNKNOWN_400 | \ - USER_ACCESS_UNKNOWN_200 | \ - USER_ACCESS_GET_GROUPS | \ - USER_ACCESS_SET_PASSWORD | \ - USER_ACCESS_CHANGE_PASSWORD | \ - USER_ACCESS_SET_ATTRIBUTES | \ - USER_ACCESS_UNKNOWN_10 | \ - USER_ACCESS_GET_LOGONINFO | \ - USER_ACCESS_SET_LOC_COM | \ - USER_ACCESS_GET_LOCALE | \ - USER_ACCESS_GET_NAME_ETC ) - -#define USER_READ ( STANDARD_RIGHTS_READ_ACCESS | \ - USER_ACCESS_UNKNOWN_200 | \ - USER_ACCESS_GET_GROUPS | \ - USER_ACCESS_UNKNOWN_10 | \ - USER_ACCESS_GET_LOGONINFO | \ - USER_ACCESS_GET_LOCALE ) - -#define USER_WRITE ( STANDARD_RIGHTS_WRITE_ACCESS | \ - USER_ACCESS_CHANGE_PASSWORD | \ - USER_ACCESS_SET_LOC_COM ) - -#define USER_EXECUTE ( STANDARD_RIGHTS_EXECUTE_ACCESS | \ - USER_ACCESS_CHANGE_PASSWORD | \ - USER_ACCESS_GET_NAME_ETC ) - -/* Access bits to Group-objects */ - -#define GROUP_ACCESS_LOOKUP_INFO 0x00000001 -#define GROUP_ACCESS_SET_INFO 0x00000002 -#define GROUP_ACCESS_ADD_MEMBER 0x00000004 -#define GROUP_ACCESS_REMOVE_MEMBER 0x00000008 -#define GROUP_ACCESS_GET_MEMBERS 0x00000010 - -#define GROUP_ALL_ACCESS ( STANDARD_RIGHTS_REQUIRED_ACCESS | \ - GROUP_ACCESS_GET_MEMBERS | \ - GROUP_ACCESS_REMOVE_MEMBER | \ - GROUP_ACCESS_ADD_MEMBER | \ - GROUP_ACCESS_SET_INFO | \ - GROUP_ACCESS_LOOKUP_INFO ) - -#define GROUP_READ ( STANDARD_RIGHTS_READ_ACCESS | \ - GROUP_ACCESS_GET_MEMBERS ) - -#define GROUP_WRITE ( STANDARD_RIGHTS_WRITE_ACCESS | \ - GROUP_ACCESS_REMOVE_MEMBER | \ - GROUP_ACCESS_ADD_MEMBER | \ - GROUP_ACCESS_SET_INFO ) - -#define GROUP_EXECUTE ( STANDARD_RIGHTS_EXECUTE_ACCESS | \ - GROUP_ACCESS_LOOKUP_INFO ) - -/* Access bits to Alias-objects */ - -#define ALIAS_ACCESS_ADD_MEMBER 0x00000001 -#define ALIAS_ACCESS_REMOVE_MEMBER 0x00000002 -#define ALIAS_ACCESS_GET_MEMBERS 0x00000004 -#define ALIAS_ACCESS_LOOKUP_INFO 0x00000008 -#define ALIAS_ACCESS_SET_INFO 0x00000010 - -#define ALIAS_ALL_ACCESS ( STANDARD_RIGHTS_REQUIRED_ACCESS | \ - ALIAS_ACCESS_GET_MEMBERS | \ - ALIAS_ACCESS_REMOVE_MEMBER | \ - ALIAS_ACCESS_ADD_MEMBER | \ - ALIAS_ACCESS_SET_INFO | \ - ALIAS_ACCESS_LOOKUP_INFO ) - -#define ALIAS_READ ( STANDARD_RIGHTS_READ_ACCESS | \ - ALIAS_ACCESS_GET_MEMBERS ) - -#define ALIAS_WRITE ( STANDARD_RIGHTS_WRITE_ACCESS | \ - ALIAS_ACCESS_REMOVE_MEMBER | \ - ALIAS_ACCESS_ADD_MEMBER | \ - ALIAS_ACCESS_SET_INFO ) - -#define ALIAS_EXECUTE ( STANDARD_RIGHTS_EXECUTE_ACCESS | \ - ALIAS_ACCESS_LOOKUP_INFO ) typedef struct _DISP_USER_INFO { SAM_ACCOUNT *sam; diff --git a/source3/include/rpc_secdes.h b/source3/include/rpc_secdes.h index e51a5fd2f8..1bb25e8651 100644 --- a/source3/include/rpc_secdes.h +++ b/source3/include/rpc_secdes.h @@ -31,6 +31,7 @@ #define SEC_RIGHTS_READ 0x00020019 #define SEC_RIGHTS_FULL_CONTROL 0x000f003f #define SEC_RIGHTS_MAXIMUM_ALLOWED 0x02000000 + /* for ADS */ #define SEC_RIGHTS_LIST_CONTENTS 0x4 #define SEC_RIGHTS_LIST_OBJECT 0x80 @@ -211,4 +212,250 @@ typedef struct standard_mapping { uint32 std_all; } STANDARD_MAPPING; + +/* Security Access Masks Rights */ + +#define SPECIFIC_RIGHTS_MASK 0x0000FFFF +#define STANDARD_RIGHTS_MASK 0x00FF0000 +#define GENERIC_RIGHTS_MASK 0xF0000000 + +#define SEC_RIGHT_SYSTEM_SECURITY 0x01000000 +#define SEC_RIGHT_MAXIMUM_ALLOWED 0x02000000 + +/* Generic access rights */ + +#define GENERIC_RIGHT_ALL_ACCESS 0x10000000 +#define GENERIC_RIGHT_EXECUTE_ACCESS 0x20000000 +#define GENERIC_RIGHT_WRITE_ACCESS 0x40000000 +#define GENERIC_RIGHT_READ_ACCESS 0x80000000 + +/* Standard access rights. */ + +#define STD_RIGHT_DELETE_ACCESS 0x00010000 +#define STD_RIGHT_READ_CONTROL_ACCESS 0x00020000 +#define STD_RIGHT_WRITE_DAC_ACCESS 0x00040000 +#define STD_RIGHT_WRITE_OWNER_ACCESS 0x00080000 +#define STD_RIGHT_SYNCHRONIZE_ACCESS 0x00100000 + +#define STD_RIGHT_ALL_ACCESS 0x001F0000 + +/* Combinations of standard masks. */ +#define STANDARD_RIGHTS_ALL_ACCESS STD_RIGHT_ALL_ACCESS /* 0x001f0000 */ +#define STANDARD_RIGHTS_EXECUTE_ACCESS STD_RIGHT_READ_CONTROL_ACCESS /* 0x00020000 */ +#define STANDARD_RIGHTS_READ_ACCESS STD_RIGHT_READ_CONTROL_ACCESS /* 0x00020000 */ +#define STANDARD_RIGHTS_WRITE_ACCESS STD_RIGHT_READ_CONTROL_ACCESS /* 0x00020000 */ +#define STANDARD_RIGHTS_REQUIRED_ACCESS \ + (STD_RIGHT_DELETE_ACCESS | \ + STD_RIGHT_READ_CONTROL_ACCESS | \ + STD_RIGHT_WRITE_DAC_ACCESS | \ + STD_RIGHT_WRITE_OWNER_ACCESS) /* 0x000f0000 */ + +/* File Object specific access rights */ + +#define SA_RIGHT_FILE_READ_DATA 0x00000001 +#define SA_RIGHT_FILE_WRITE_DATA 0x00000002 +#define SA_RIGHT_FILE_APPEND_DATA 0x00000004 +#define SA_RIGHT_FILE_READ_EA 0x00000008 +#define SA_RIGHT_FILE_WRITE_EA 0x00000010 +#define SA_RIGHT_FILE_EXECUTE 0x00000020 +#define SA_RIGHT_FILE_DELETE_CHILD 0x00000040 +#define SA_RIGHT_FILE_READ_ATTRIBUTES 0x00000080 +#define SA_RIGHT_FILE_WRITE_ATTRIBUTES 0x00000100 + +#define SA_RIGHT_FILE_ALL_ACCESS 0x000001FF + +#define GENERIC_RIGHTS_FILE_ALL_ACCESS \ + (STANDARD_RIGHTS_REQUIRED_ACCESS| \ + STD_RIGHT_SYNCHRONIZE_ACCESS | \ + SA_RIGHT_FILE_ALL_ACCESS) + +#define GENERIC_RIGHTS_FILE_READ \ + (STANDARD_RIGHTS_READ_ACCESS | \ + STD_RIGHT_SYNCHRONIZE_ACCESS | \ + SA_RIGHT_FILE_READ_DATA | \ + SA_RIGHT_FILE_READ_ATTRIBUTES | \ + SA_RIGHT_FILE_READ_EA) + +#define GENERIC_RIGHTS_FILE_WRITE \ + (STANDARD_RIGHTS_WRITE_ACCESS | \ + STD_RIGHT_SYNCHRONIZE_ACCESS | \ + SA_RIGHT_FILE_WRITE_DATA | \ + SA_RIGHT_FILE_WRITE_ATTRIBUTES | \ + SA_RIGHT_FILE_WRITE_EA | \ + SA_RIGHT_FILE_APPEND_DATA) + +#define GENERIC_RIGHTS_FILE_EXECUTE \ + (STANDARD_RIGHTS_EXECUTE_ACCESS | \ + SA_RIGHT_FILE_READ_ATTRIBUTES | \ + SA_RIGHT_FILE_EXECUTE) + + +/* SAM Object specific access rights */ + +#define SA_RIGHT_SAM_UNKNOWN_1 0x00000001 +#define SA_RIGHT_SAM_SHUTDOWN_SERVER 0x00000002 +#define SA_RIGHT_SAM_UNKNOWN_4 0x00000004 +#define SA_RIGHT_SAM_UNKNOWN_8 0x00000008 +#define SA_RIGHT_SAM_ENUM_DOMAINS 0x00000010 +#define SA_RIGHT_SAM_OPEN_DOMAIN 0x00000020 + +#define SA_RIGHT_SAM_ALL_ACCESS 0x0000003F + +#define GENERIC_RIGHTS_SAM_ALL_ACCESS \ + (STANDARD_RIGHTS_REQUIRED_ACCESS| \ + SA_RIGHT_SAM_ALL_ACCESS) + +#define GENERIC_RIGHTS_SAM_READ \ + (STANDARD_RIGHTS_READ_ACCESS | \ + SA_RIGHT_SAM_ENUM_DOMAINS) + +#define GENERIC_RIGHTS_SAM_WRITE \ + (STANDARD_RIGHTS_WRITE_ACCESS | \ + SA_RIGHT_SAM_UNKNOWN_8 | \ + SA_RIGHT_SAM_UNKNOWN_4 | \ + SA_RIGHT_SAM_SHUTDOWN_SERVER) + +#define GENERIC_RIGHTS_SAM_EXECUTE \ + (STANDARD_RIGHTS_EXECUTE_ACCESS | \ + SA_RIGHT_SAM_OPEN_DOMAIN | \ + SA_RIGHT_SAM_UNKNOWN_1) + + +/* Domain Object specific access rights */ + +#define SA_RIGHT_DOMAIN_LOOKUP_INFO_1 0x00000001 +#define SA_RIGHT_DOMAIN_SET_INFO_1 0x00000002 +#define SA_RIGHT_DOMAIN_LOOKUP_INFO_2 0x00000004 +#define SA_RIGHT_DOMAIN_SET_INFO_2 0x00000008 +#define SA_RIGHT_DOMAIN_CREATE_USER 0x00000010 +#define SA_RIGHT_DOMAIN_CREATE_GROUP 0x00000020 +#define SA_RIGHT_DOMAIN_CREATE_ALIAS 0x00000040 +#define SA_RIGHT_DOMAIN_LOOKUP_ALIAS_BY_MEM 0x00000080 +#define SA_RIGHT_DOMAIN_ENUM_ACCOUNTS 0x00000100 +#define SA_RIGHT_DOMAIN_OPEN_ACCOUNT 0x00000200 +#define SA_RIGHT_DOMAIN_SET_INFO_3 0x00000400 + +#define SA_RIGHT_DOMAIN_ALL_ACCESS 0x000007FF + +#define GENERIC_RIGHTS_DOMAIN_ALL_ACCESS \ + (STANDARD_RIGHTS_REQUIRED_ACCESS| \ + SA_RIGHT_DOMAIN_ALL_ACCESS) + +#define GENERIC_RIGHTS_DOMAIN_READ \ + (STANDARD_RIGHTS_READ_ACCESS | \ + SA_RIGHT_DOMAIN_LOOKUP_ALIAS_BY_MEM | \ + SA_RIGHT_DOMAIN_LOOKUP_INFO_2) + +#define GENERIC_RIGHTS_DOMAIN_WRITE \ + (STANDARD_RIGHTS_WRITE_ACCESS | \ + SA_RIGHT_DOMAIN_SET_INFO_3 | \ + SA_RIGHT_DOMAIN_CREATE_ALIAS | \ + SA_RIGHT_DOMAIN_CREATE_GROUP | \ + SA_RIGHT_DOMAIN_CREATE_USER | \ + SA_RIGHT_DOMAIN_SET_INFO_2 | \ + SA_RIGHT_DOMAIN_SET_INFO_1) + +#define GENERIC_RIGHTS_DOMAIN_EXECUTE \ + (STANDARD_RIGHTS_EXECUTE_ACCESS | \ + SA_RIGHT_DOMAIN_OPEN_ACCOUNT | \ + SA_RIGHT_DOMAIN_ENUM_ACCOUNTS | \ + SA_RIGHT_DOMAIN_LOOKUP_INFO_1) + + +/* User Object specific access rights */ + +#define SA_RIGHT_USER_GET_NAME_ETC 0x00000001 +#define SA_RIGHT_USER_GET_LOCALE 0x00000002 +#define SA_RIGHT_USER_SET_LOC_COM 0x00000004 +#define SA_RIGHT_USER_GET_LOGONINFO 0x00000008 +#define SA_RIGHT_USER_ACCT_FLAGS_EXPIRY 0x00000010 +#define SA_RIGHT_USER_SET_ATTRIBUTES 0x00000020 +#define SA_RIGHT_USER_CHANGE_PASSWORD 0x00000040 +#define SA_RIGHT_USER_SET_PASSWORD 0x00000080 +#define SA_RIGHT_USER_GET_GROUPS 0x00000100 +#define SA_RIGHT_USER_UNKNOWN_200 0x00000200 +#define SA_RIGHT_USER_UNKNOWN_400 0x00000400 + +#define SA_RIGHT_USER_ALL_ACCESS 0x000007FF + +#define GENERIC_RIGHTS_USER_ALL_ACCESS \ + (STANDARD_RIGHTS_REQUIRED_ACCESS| \ + SA_RIGHT_USER_ALL_ACCESS) /* 0x000f07ff */ + +#define GENERIC_RIGHTS_USER_READ \ + (STANDARD_RIGHTS_READ_ACCESS | \ + SA_RIGHT_USER_UNKNOWN_200 | \ + SA_RIGHT_USER_GET_GROUPS | \ + SA_RIGHT_USER_ACCT_FLAGS_EXPIRY | \ + SA_RIGHT_USER_GET_LOGONINFO | \ + SA_RIGHT_USER_GET_LOCALE) /* 0x0002031a */ + +#define GENERIC_RIGHTS_USER_WRITE \ + (STANDARD_RIGHTS_WRITE_ACCESS | \ + SA_RIGHT_USER_CHANGE_PASSWORD | \ + SA_RIGHT_USER_SET_LOC_COM) /* 0x00020044 */ + +#define GENERIC_RIGHTS_USER_EXECUTE \ + (STANDARD_RIGHTS_EXECUTE_ACCESS | \ + SA_RIGHT_USER_CHANGE_PASSWORD | \ + SA_RIGHT_USER_GET_NAME_ETC ) /* 0x00020041 */ + + +/* Group Object specific access rights */ + +#define SA_RIGHT_GROUP_LOOKUP_INFO 0x00000001 +#define SA_RIGHT_GROUP_SET_INFO 0x00000002 +#define SA_RIGHT_GROUP_ADD_MEMBER 0x00000004 +#define SA_RIGHT_GROUP_REMOVE_MEMBER 0x00000008 +#define SA_RIGHT_GROUP_GET_MEMBERS 0x00000010 + +#define SA_RIGHT_GROUP_ALL_ACCESS 0x0000001F + +#define GENERIC_RIGHTS_GROUP_ALL_ACCESS \ + (STANDARD_RIGHTS_REQUIRED_ACCESS| \ + SA_RIGHT_GROUP_ALL_ACCESS) /* 0x000f001f */ + +#define GENERIC_RIGHTS_GROUP_READ \ + (STANDARD_RIGHTS_READ_ACCESS | \ + SA_RIGHT_GROUP_GET_MEMBERS) /* 0x00020010 */ + +#define GENERIC_RIGHTS_GROUP_WRITE \ + (STANDARD_RIGHTS_WRITE_ACCESS | \ + SA_RIGHT_GROUP_REMOVE_MEMBER | \ + SA_RIGHT_GROUP_ADD_MEMBER | \ + SA_RIGHT_GROUP_SET_INFO ) /* 0x0002000e */ + +#define GENERIC_RIGHTS_GROUP_EXECUTE \ + (STANDARD_RIGHTS_EXECUTE_ACCESS | \ + SA_RIGHT_GROUP_LOOKUP_INFO) /* 0x00020001 */ + + +/* Alias Object specific access rights */ + +#define SA_RIGHT_ALIAS_ADD_MEMBER 0x00000001 +#define SA_RIGHT_ALIAS_REMOVE_MEMBER 0x00000002 +#define SA_RIGHT_ALIAS_GET_MEMBERS 0x00000004 +#define SA_RIGHT_ALIAS_LOOKUP_INFO 0x00000008 +#define SA_RIGHT_ALIAS_SET_INFO 0x00000010 + +#define SA_RIGHT_ALIAS_ALL_ACCESS 0x0000001F + +#define GENERIC_RIGHTS_ALIAS_ALL_ACCESS \ + (STANDARD_RIGHTS_REQUIRED_ACCESS| \ + SA_RIGHT_ALIAS_ALL_ACCESS) /* 0x000f001f */ + +#define GENERIC_RIGHTS_ALIAS_READ \ + (STANDARD_RIGHTS_READ_ACCESS | \ + SA_RIGHT_ALIAS_GET_MEMBERS ) /* 0x00020004 */ + +#define GENERIC_RIGHTS_ALIAS_WRITE \ + (STANDARD_RIGHTS_WRITE_ACCESS | \ + SA_RIGHT_ALIAS_REMOVE_MEMBER | \ + SA_RIGHT_ALIAS_ADD_MEMBER | \ + SA_RIGHT_ALIAS_SET_INFO ) /* 0x00020013 */ + +#define GENERIC_RIGHTS_ALIAS_EXECUTE \ + (STANDARD_RIGHTS_EXECUTE_ACCESS | \ + SA_RIGHT_ALIAS_LOOKUP_INFO ) /* 0x00020008 */ + #endif /* _RPC_SECDES_H */ diff --git a/source3/include/smb.h b/source3/include/smb.h index 7ce7599239..1694a8b0fc 100644 --- a/source3/include/smb.h +++ b/source3/include/smb.h @@ -1067,15 +1067,8 @@ struct bitmap { #define WRITE_OWNER_ACCESS (1L<<19) /* 0x00080000 */ #define SYNCHRONIZE_ACCESS (1L<<20) /* 0x00100000 */ -/* Combinations of standard masks. */ -#define STANDARD_RIGHTS_ALL_ACCESS (DELETE_ACCESS|READ_CONTROL_ACCESS|WRITE_DAC_ACCESS|WRITE_OWNER_ACCESS|SYNCHRONIZE_ACCESS) /* 0x001f0000 */ -#define STANDARD_RIGHTS_EXECUTE_ACCESS (READ_CONTROL_ACCESS) /* 0x00020000 */ -#define STANDARD_RIGHTS_READ_ACCESS (READ_CONTROL_ACCESS) /* 0x00200000 */ -#define STANDARD_RIGHTS_REQUIRED_ACCESS (DELETE_ACCESS|READ_CONTROL_ACCESS|WRITE_DAC_ACCESS|WRITE_OWNER_ACCESS) /* 0x000f0000 */ -#define STANDARD_RIGHTS_WRITE_ACCESS (READ_CONTROL_ACCESS) /* 0x00020000 */ - -#define SYSTEM_SECURITY_ACCESS (1L<<24) /* 0x01000000 */ -#define MAXIMUM_ALLOWED_ACCESS (1L<<25) /* 0x02000000 */ +#define SYSTEM_SECURITY_ACCESS (1L<<24) /* 0x01000000 */ +#define MAXIMUM_ALLOWED_ACCESS (1L<<25) /* 0x02000000 */ #define GENERIC_ALL_ACCESS (1<<28) /* 0x10000000 */ #define GENERIC_EXECUTE_ACCESS (1<<29) /* 0x20000000 */ #define GENERIC_WRITE_ACCESS (1<<30) /* 0x40000000 */ diff --git a/source3/lib/util_seaccess.c b/source3/lib/util_seaccess.c index 456d7ba9e2..21d7fe8599 100644 --- a/source3/lib/util_seaccess.c +++ b/source3/lib/util_seaccess.c @@ -468,11 +468,11 @@ NTSTATUS samr_make_sam_obj_sd(TALLOC_CTX *ctx, SEC_DESC **psd, size_t *sd_size) sid_append_rid(&act_sid, BUILTIN_ALIAS_RID_ACCOUNT_OPS); /*basic access for every one*/ - init_sec_access(&mask, SAMR_EXECUTE | SAMR_READ); + init_sec_access(&mask, GENERIC_RIGHTS_SAM_EXECUTE | GENERIC_RIGHTS_SAM_READ); init_sec_ace(&ace[0], &global_sid_World, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0); /*full access for builtin aliases Administrators and Account Operators*/ - init_sec_access(&mask, SAMR_ALL_ACCESS); + init_sec_access(&mask, GENERIC_RIGHTS_SAM_ALL_ACCESS); init_sec_ace(&ace[1], &adm_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0); init_sec_ace(&ace[2], &act_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0); diff --git a/source3/lib/util_sid.c b/source3/lib/util_sid.c index 1439471f64..c5b4a143ea 100644 --- a/source3/lib/util_sid.c +++ b/source3/lib/util_sid.c @@ -5,6 +5,7 @@ Copyright (C) Luke Kenneth Caseson Leighton 1998-1999 Copyright (C) Jeremy Allison 1999 Copyright (C) Stefan (metze) Metzmacher 2002 + Copyright (C) Simo Sorce 2002 This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -37,16 +38,23 @@ DOM_SID global_sid_NT_Authority; /* NT Authority */ DOM_SID global_sid_System; /* System */ DOM_SID global_sid_NULL; /* NULL sid */ DOM_SID global_sid_Authenticated_Users; /* All authenticated rids */ -DOM_SID global_sid_Network; /* Network rids */ +DOM_SID global_sid_Network; /* Network rids */ -static DOM_SID global_sid_Creator_Owner; /* Creator Owner */ -static DOM_SID global_sid_Creator_Group; /* Creator Group */ -static DOM_SID global_sid_Anonymous; /* Anonymous login */ +static DOM_SID global_sid_Creator_Owner; /* Creator Owner */ +static DOM_SID global_sid_Creator_Group; /* Creator Group */ +static DOM_SID global_sid_Anonymous; /* Anonymous login */ + +DOM_SID global_sid_Builtin; /* Local well-known domain */ +DOM_SID global_sid_Builtin_Administrators; /* Builtin administrators */ +DOM_SID global_sid_Builtin_Users; /* Builtin users */ +DOM_SID global_sid_Builtin_Guests; /* Builtin guest users */ +DOM_SID global_sid_Builtin_Power_Users; /* Builtin power users */ +DOM_SID global_sid_Builtin_Account_Operators; /* Builtin account operators */ +DOM_SID global_sid_Builtin_Server_Operators; /* Builtin server operators */ +DOM_SID global_sid_Builtin_Print_Operators; /* Builtin print operators */ +DOM_SID global_sid_Builtin_Backup_Operators; /* Builtin backup operators */ +DOM_SID global_sid_Builtin_Replicator; /* Builtin replicator */ -DOM_SID global_sid_Builtin; /* Local well-known domain */ -DOM_SID global_sid_Builtin_Administrators; -DOM_SID global_sid_Builtin_Users; -DOM_SID global_sid_Builtin_Guests; /* Builtin guest users */ /* * An NT compatible anonymous token. @@ -112,10 +120,6 @@ void generate_wellknown_sids(void) if (initialised) return; - string_to_sid(&global_sid_Builtin, "S-1-5-32"); - string_to_sid(&global_sid_Builtin_Administrators, "S-1-5-32-544"); - string_to_sid(&global_sid_Builtin_Users, "S-1-5-32-545"); - string_to_sid(&global_sid_Builtin_Guests, "S-1-5-32-546"); string_to_sid(&global_sid_World_Domain, "S-1-1"); string_to_sid(&global_sid_World, "S-1-1-0"); string_to_sid(&global_sid_Creator_Owner_Domain, "S-1-3"); @@ -128,6 +132,18 @@ void generate_wellknown_sids(void) string_to_sid(&global_sid_Network, "S-1-5-2"); string_to_sid(&global_sid_Anonymous, "S-1-5-7"); + /* create well known builtin SIDs */ + string_to_sid(&global_sid_Builtin, "S-1-5-32"); + string_to_sid(&global_sid_Builtin_Administrators, "S-1-5-32-544"); + string_to_sid(&global_sid_Builtin_Users, "S-1-5-32-545"); + string_to_sid(&global_sid_Builtin_Guests, "S-1-5-32-546"); + string_to_sid(&global_sid_Builtin_Power_Users, "S-1-5-32-547"); + string_to_sid(&global_sid_Builtin_Account_Operators, "S-1-5-32-548"); + string_to_sid(&global_sid_Builtin_Server_Operators, "S-1-5-32-549"); + string_to_sid(&global_sid_Builtin_Print_Operators, "S-1-5-32-550"); + string_to_sid(&global_sid_Builtin_Backup_Operators, "S-1-5-32-551"); + string_to_sid(&global_sid_Builtin_Replicator, "S-1-5-32-552"); + /* Create the anon token. */ sid_copy( &anonymous_token.user_sids[0], &global_sid_World); sid_copy( &anonymous_token.user_sids[1], &global_sid_Network); diff --git a/source3/rpc_server/srv_reg_nt.c b/source3/rpc_server/srv_reg_nt.c index f96de7e533..7435bdb6f7 100644 --- a/source3/rpc_server/srv_reg_nt.c +++ b/source3/rpc_server/srv_reg_nt.c @@ -131,7 +131,6 @@ static NTSTATUS open_registry_key(pipes_struct *p, POLICY_HND *hnd, REGISTRY_KEY if ( fetch_reg_keys( regkey, &subkeys ) == -1 ) { /* don't really know what to return here */ - result = NT_STATUS_NO_SUCH_FILE; } else { diff --git a/source3/rpc_server/srv_samr.c b/source3/rpc_server/srv_samr.c index bc3b8970d6..ab3d94cf75 100644 --- a/source3/rpc_server/srv_samr.c +++ b/source3/rpc_server/srv_samr.c @@ -155,7 +155,6 @@ static BOOL api_samr_set_sec_obj(pipes_struct *p) return False; } - return True; } diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 020a3c6aaf..3073ca8f75 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -64,11 +64,11 @@ struct samr_info { TALLOC_CTX *mem_ctx; }; -struct generic_mapping sam_generic_mapping = {SAMR_READ, SAMR_WRITE, SAMR_EXECUTE, SAMR_ALL_ACCESS}; -struct generic_mapping dom_generic_mapping = {DOMAIN_READ, DOMAIN_WRITE, DOMAIN_EXECUTE, DOMAIN_ALL_ACCESS}; -struct generic_mapping usr_generic_mapping = {USER_READ, USER_WRITE, USER_EXECUTE, USER_ALL_ACCESS}; -struct generic_mapping grp_generic_mapping = {GROUP_READ, GROUP_WRITE, GROUP_EXECUTE, GROUP_ALL_ACCESS}; -struct generic_mapping ali_generic_mapping = {ALIAS_READ, ALIAS_WRITE, ALIAS_EXECUTE, ALIAS_ALL_ACCESS}; +struct generic_mapping sam_generic_mapping = {GENERIC_RIGHTS_SAM_READ, GENERIC_RIGHTS_SAM_WRITE, GENERIC_RIGHTS_SAM_EXECUTE, GENERIC_RIGHTS_SAM_ALL_ACCESS}; +struct generic_mapping dom_generic_mapping = {GENERIC_RIGHTS_DOMAIN_READ, GENERIC_RIGHTS_DOMAIN_WRITE, GENERIC_RIGHTS_DOMAIN_EXECUTE, GENERIC_RIGHTS_DOMAIN_ALL_ACCESS}; +struct generic_mapping usr_generic_mapping = {GENERIC_RIGHTS_USER_READ, GENERIC_RIGHTS_USER_WRITE, GENERIC_RIGHTS_USER_EXECUTE, GENERIC_RIGHTS_USER_ALL_ACCESS}; +struct generic_mapping grp_generic_mapping = {GENERIC_RIGHTS_GROUP_READ, GENERIC_RIGHTS_GROUP_WRITE, GENERIC_RIGHTS_GROUP_EXECUTE, GENERIC_RIGHTS_GROUP_ALL_ACCESS}; +struct generic_mapping ali_generic_mapping = {GENERIC_RIGHTS_ALIAS_READ, GENERIC_RIGHTS_ALIAS_WRITE, GENERIC_RIGHTS_ALIAS_EXECUTE, GENERIC_RIGHTS_ALIAS_ALL_ACCESS}; static NTSTATUS samr_make_dom_obj_sd(TALLOC_CTX *ctx, SEC_DESC **psd, size_t *sd_size); @@ -375,7 +375,7 @@ NTSTATUS _samr_open_domain(pipes_struct *p, SAMR_Q_OPEN_DOMAIN *q_u, SAMR_R_OPEN if (!find_policy_by_hnd(p, &q_u->pol, (void**)&info)) return NT_STATUS_INVALID_HANDLE; - if (!NT_STATUS_IS_OK(status = access_check_samr_function(info->acc_granted, SAMR_ACCESS_OPEN_DOMAIN,"_samr_open_domain"))) { + if (!NT_STATUS_IS_OK(status = access_check_samr_function(info->acc_granted, SA_RIGHT_SAM_OPEN_DOMAIN,"_samr_open_domain"))) { return status; } @@ -454,11 +454,11 @@ static NTSTATUS samr_make_dom_obj_sd(TALLOC_CTX *ctx, SEC_DESC **psd, size_t *sd sid_append_rid(&act_sid, BUILTIN_ALIAS_RID_ACCOUNT_OPS); /*basic access for every one*/ - init_sec_access(&mask, DOMAIN_EXECUTE | DOMAIN_READ); + init_sec_access(&mask, GENERIC_RIGHTS_DOMAIN_EXECUTE | GENERIC_RIGHTS_DOMAIN_READ); init_sec_ace(&ace[0], &global_sid_World, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0); /*full access for builtin aliases Administrators and Account Operators*/ - init_sec_access(&mask, DOMAIN_ALL_ACCESS); + init_sec_access(&mask, GENERIC_RIGHTS_DOMAIN_ALL_ACCESS); init_sec_ace(&ace[1], &adm_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0); init_sec_ace(&ace[2], &act_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0); @@ -493,16 +493,16 @@ static NTSTATUS samr_make_usr_obj_sd(TALLOC_CTX *ctx, SEC_DESC **psd, size_t *sd sid_append_rid(&act_sid, BUILTIN_ALIAS_RID_ACCOUNT_OPS); /*basic access for every one*/ - init_sec_access(&mask, USER_EXECUTE | USER_READ); + init_sec_access(&mask, GENERIC_RIGHTS_USER_EXECUTE | GENERIC_RIGHTS_USER_READ); init_sec_ace(&ace[0], &global_sid_World, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0); /*full access for builtin aliases Administrators and Account Operators*/ - init_sec_access(&mask, USER_ALL_ACCESS); + init_sec_access(&mask, GENERIC_RIGHTS_USER_ALL_ACCESS); init_sec_ace(&ace[1], &adm_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0); init_sec_ace(&ace[2], &act_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0); /*extended access for the user*/ - init_sec_access(&mask,READ_CONTROL_ACCESS | USER_ACCESS_CHANGE_PASSWORD | USER_ACCESS_SET_LOC_COM); + init_sec_access(&mask,READ_CONTROL_ACCESS | SA_RIGHT_USER_CHANGE_PASSWORD | SA_RIGHT_USER_SET_LOC_COM); init_sec_ace(&ace[3], usr_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0); if ((psa = make_sec_acl(ctx, NT4_ACL_REVISION, 4, ace)) == NULL) @@ -536,11 +536,11 @@ static NTSTATUS samr_make_grp_obj_sd(TALLOC_CTX *ctx, SEC_DESC **psd, size_t *sd sid_append_rid(&act_sid, BUILTIN_ALIAS_RID_ACCOUNT_OPS); /*basic access for every one*/ - init_sec_access(&mask, GROUP_EXECUTE | GROUP_READ); + init_sec_access(&mask, GENERIC_RIGHTS_GROUP_EXECUTE | GENERIC_RIGHTS_GROUP_READ); init_sec_ace(&ace[0], &global_sid_World, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0); /*full access for builtin aliases Administrators and Account Operators*/ - init_sec_access(&mask, GROUP_ALL_ACCESS); + init_sec_access(&mask, GENERIC_RIGHTS_GROUP_ALL_ACCESS); init_sec_ace(&ace[1], &adm_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0); init_sec_ace(&ace[2], &act_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0); @@ -575,11 +575,11 @@ static NTSTATUS samr_make_ali_obj_sd(TALLOC_CTX *ctx, SEC_DESC **psd, size_t *sd sid_append_rid(&act_sid, BUILTIN_ALIAS_RID_ACCOUNT_OPS); /*basic access for every one*/ - init_sec_access(&mask, ALIAS_EXECUTE | ALIAS_READ); + init_sec_access(&mask, GENERIC_RIGHTS_ALIAS_EXECUTE | GENERIC_RIGHTS_ALIAS_READ); init_sec_ace(&ace[0], &global_sid_World, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0); /*full access for builtin aliases Administrators and Account Operators*/ - init_sec_access(&mask, ALIAS_ALL_ACCESS); + init_sec_access(&mask, GENERIC_RIGHTS_ALIAS_ALL_ACCESS); init_sec_ace(&ace[1], &adm_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0); init_sec_ace(&ace[2], &act_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0); @@ -765,7 +765,7 @@ NTSTATUS _samr_enum_dom_users(pipes_struct *p, SAMR_Q_ENUM_DOM_USERS *q_u, domain_sid = info->sid; if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(info->acc_granted, - DOMAIN_ACCESS_ENUM_ACCOUNTS, + SA_RIGHT_DOMAIN_ENUM_ACCOUNTS, "_samr_enum_dom_users"))) { return r_u->status; } @@ -1058,7 +1058,7 @@ NTSTATUS _samr_enum_dom_groups(pipes_struct *p, SAMR_Q_ENUM_DOM_GROUPS *q_u, SAM if (!get_lsa_policy_samr_sid(p, &q_u->pol, &sid, &acc_granted)) return NT_STATUS_INVALID_HANDLE; - if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, DOMAIN_ACCESS_ENUM_ACCOUNTS, "_samr_enum_dom_groups"))) { + if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_DOMAIN_ENUM_ACCOUNTS, "_samr_enum_dom_groups"))) { return r_u->status; } @@ -1097,7 +1097,7 @@ NTSTATUS _samr_enum_dom_aliases(pipes_struct *p, SAMR_Q_ENUM_DOM_ALIASES *q_u, S if (!get_lsa_policy_samr_sid(p, &q_u->pol, &sid, &acc_granted)) return NT_STATUS_INVALID_HANDLE; - if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, DOMAIN_ACCESS_ENUM_ACCOUNTS, "_samr_enum_dom_aliases"))) { + if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_DOMAIN_ENUM_ACCOUNTS, "_samr_enum_dom_aliases"))) { return r_u->status; } @@ -1320,7 +1320,7 @@ NTSTATUS _samr_query_aliasinfo(pipes_struct *p, SAMR_Q_QUERY_ALIASINFO *q_u, SAM /* find the policy handle. open a policy on it. */ if (!get_lsa_policy_samr_sid(p, &q_u->pol, &sid, &acc_granted)) return NT_STATUS_INVALID_HANDLE; - if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, ALIAS_ACCESS_LOOKUP_INFO, "_samr_query_aliasinfo"))) { + if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_ALIAS_LOOKUP_INFO, "_samr_query_aliasinfo"))) { return r_u->status; } @@ -1667,7 +1667,7 @@ NTSTATUS _api_samr_open_user(pipes_struct *p, SAMR_Q_OPEN_USER *q_u, SAMR_R_OPEN if (!get_lsa_policy_samr_sid(p, &domain_pol, &sid, &acc_granted)) return NT_STATUS_INVALID_HANDLE; - if (!NT_STATUS_IS_OK(nt_status = access_check_samr_function(acc_granted, DOMAIN_ACCESS_OPEN_ACCOUNT, "_samr_open_user"))) { + if (!NT_STATUS_IS_OK(nt_status = access_check_samr_function(acc_granted, SA_RIGHT_DOMAIN_OPEN_ACCOUNT, "_samr_open_user"))) { return nt_status; } @@ -2008,7 +2008,7 @@ NTSTATUS _samr_query_usergroups(pipes_struct *p, SAMR_Q_QUERY_USERGROUPS *q_u, S if (!get_lsa_policy_samr_sid(p, &q_u->pol, &sid, &acc_granted)) return NT_STATUS_INVALID_HANDLE; - if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, USER_ACCESS_GET_GROUPS, "_samr_query_usergroups"))) { + if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_USER_GET_GROUPS, "_samr_query_usergroups"))) { return r_u->status; } @@ -2194,7 +2194,7 @@ NTSTATUS _api_samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, SAMR_R_ if (!get_lsa_policy_samr_sid(p, &dom_pol, &sid, &acc_granted)) return NT_STATUS_INVALID_HANDLE; - if (!NT_STATUS_IS_OK(nt_status = access_check_samr_function(acc_granted, DOMAIN_ACCESS_CREATE_USER, "_samr_create_user"))) { + if (!NT_STATUS_IS_OK(nt_status = access_check_samr_function(acc_granted, SA_RIGHT_DOMAIN_CREATE_USER, "_samr_create_user"))) { return nt_status; } @@ -2496,7 +2496,7 @@ NTSTATUS _samr_lookup_domain(pipes_struct *p, SAMR_Q_LOOKUP_DOMAIN *q_u, SAMR_R_ if (!find_policy_by_hnd(p, &q_u->connect_pol, (void**)&info)) return NT_STATUS_INVALID_HANDLE; - if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(info->acc_granted, SAMR_ACCESS_OPEN_DOMAIN, "_samr_lookup_domain"))) { + if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(info->acc_granted, SA_RIGHT_SAM_OPEN_DOMAIN, "_samr_lookup_domain"))) { return r_u->status; } @@ -2569,7 +2569,7 @@ NTSTATUS _samr_enum_domains(pipes_struct *p, SAMR_Q_ENUM_DOMAINS *q_u, SAMR_R_EN if (!find_policy_by_hnd(p, &q_u->pol, (void**)&info)) return NT_STATUS_INVALID_HANDLE; - if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(info->acc_granted, SAMR_ACCESS_ENUM_DOMAINS, "_samr_enum_domains"))) { + if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(info->acc_granted, SA_RIGHT_SAM_ENUM_DOMAINS, "_samr_enum_domains"))) { return r_u->status; } @@ -2617,7 +2617,7 @@ NTSTATUS _api_samr_open_alias(pipes_struct *p, SAMR_Q_OPEN_ALIAS *q_u, SAMR_R_OP if (!get_lsa_policy_samr_sid(p, &domain_pol, &sid, &acc_granted)) return NT_STATUS_INVALID_HANDLE; - if (!NT_STATUS_IS_OK(status = access_check_samr_function(acc_granted, DOMAIN_ACCESS_OPEN_ACCOUNT, "_samr_open_alias"))) { + if (!NT_STATUS_IS_OK(status = access_check_samr_function(acc_granted, SA_RIGHT_DOMAIN_OPEN_ACCOUNT, "_samr_open_alias"))) { return status; } @@ -2928,7 +2928,7 @@ NTSTATUS _samr_set_userinfo(pipes_struct *p, SAMR_Q_SET_USERINFO *q_u, SAMR_R_SE if (!get_lsa_policy_samr_sid(p, pol, &sid, &acc_granted)) return NT_STATUS_INVALID_HANDLE; - acc_required = USER_ACCESS_SET_LOC_COM | USER_ACCESS_SET_ATTRIBUTES; /* This is probably wrong */ + acc_required = SA_RIGHT_USER_SET_LOC_COM | SA_RIGHT_USER_SET_ATTRIBUTES; /* This is probably wrong */ if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, acc_required, "_samr_set_userinfo"))) { return r_u->status; } @@ -3013,7 +3013,7 @@ NTSTATUS _samr_set_userinfo2(pipes_struct *p, SAMR_Q_SET_USERINFO2 *q_u, SAMR_R_ if (!get_lsa_policy_samr_sid(p, pol, &sid, &acc_granted)) return NT_STATUS_INVALID_HANDLE; - acc_required = USER_ACCESS_SET_LOC_COM | USER_ACCESS_SET_ATTRIBUTES; /* This is probably wrong */ + acc_required = SA_RIGHT_USER_SET_LOC_COM | SA_RIGHT_USER_SET_ATTRIBUTES; /* This is probably wrong */ if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, acc_required, "_samr_set_userinfo2"))) { return r_u->status; } @@ -3088,8 +3088,8 @@ NTSTATUS _samr_query_useraliases(pipes_struct *p, SAMR_Q_QUERY_USERALIASES *q_u, if (!find_policy_by_hnd(p, &q_u->pol, (void **)&info)) return NT_STATUS_INVALID_HANDLE; - ntstatus1 = access_check_samr_function(info->acc_granted, DOMAIN_ACCESS_LOOKUP_ALIAS_BY_MEM, "_samr_query_useraliases"); - ntstatus2 = access_check_samr_function(info->acc_granted, DOMAIN_ACCESS_OPEN_ACCOUNT, "_samr_query_useraliases"); + ntstatus1 = access_check_samr_function(info->acc_granted, SA_RIGHT_DOMAIN_LOOKUP_ALIAS_BY_MEM, "_samr_query_useraliases"); + ntstatus2 = access_check_samr_function(info->acc_granted, SA_RIGHT_DOMAIN_OPEN_ACCOUNT, "_samr_query_useraliases"); if (!NT_STATUS_IS_OK(ntstatus1) || !NT_STATUS_IS_OK(ntstatus2)) { if (!(NT_STATUS_EQUAL(ntstatus1,NT_STATUS_ACCESS_DENIED) && NT_STATUS_IS_OK(ntstatus2)) && @@ -3168,7 +3168,7 @@ NTSTATUS _samr_query_aliasmem(pipes_struct *p, SAMR_Q_QUERY_ALIASMEM *q_u, SAMR_ return NT_STATUS_INVALID_HANDLE; if (!NT_STATUS_IS_OK(r_u->status = - access_check_samr_function(acc_granted, ALIAS_ACCESS_GET_MEMBERS, "_samr_query_aliasmem"))) { + access_check_samr_function(acc_granted, SA_RIGHT_ALIAS_GET_MEMBERS, "_samr_query_aliasmem"))) { return r_u->status; } @@ -3269,7 +3269,7 @@ NTSTATUS _samr_query_groupmem(pipes_struct *p, SAMR_Q_QUERY_GROUPMEM *q_u, SAMR_ if (!get_lsa_policy_samr_sid(p, &q_u->group_pol, &group_sid, &acc_granted)) return NT_STATUS_INVALID_HANDLE; - if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, GROUP_ACCESS_GET_MEMBERS, "_samr_query_groupmem"))) { + if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_GROUP_GET_MEMBERS, "_samr_query_groupmem"))) { return r_u->status; } @@ -3361,7 +3361,7 @@ NTSTATUS _samr_add_aliasmem(pipes_struct *p, SAMR_Q_ADD_ALIASMEM *q_u, SAMR_R_AD if (!get_lsa_policy_samr_sid(p, &q_u->alias_pol, &alias_sid, &acc_granted)) return NT_STATUS_INVALID_HANDLE; - if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, ALIAS_ACCESS_ADD_MEMBER, "_samr_add_aliasmem"))) { + if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_ALIAS_ADD_MEMBER, "_samr_add_aliasmem"))) { return r_u->status; } @@ -3449,7 +3449,7 @@ NTSTATUS _samr_del_aliasmem(pipes_struct *p, SAMR_Q_DEL_ALIASMEM *q_u, SAMR_R_DE if (!get_lsa_policy_samr_sid(p, &q_u->alias_pol, &alias_sid, &acc_granted)) return NT_STATUS_INVALID_HANDLE; - if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, ALIAS_ACCESS_REMOVE_MEMBER, "_samr_del_aliasmem"))) { + if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_ALIAS_REMOVE_MEMBER, "_samr_del_aliasmem"))) { return r_u->status; } @@ -3520,7 +3520,7 @@ NTSTATUS _samr_add_groupmem(pipes_struct *p, SAMR_Q_ADD_GROUPMEM *q_u, SAMR_R_AD if (!get_lsa_policy_samr_sid(p, &q_u->pol, &group_sid, &acc_granted)) return NT_STATUS_INVALID_HANDLE; - if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, GROUP_ACCESS_ADD_MEMBER, "_samr_add_groupmem"))) { + if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_GROUP_ADD_MEMBER, "_samr_add_groupmem"))) { return r_u->status; } @@ -3612,7 +3612,7 @@ NTSTATUS _samr_del_groupmem(pipes_struct *p, SAMR_Q_DEL_GROUPMEM *q_u, SAMR_R_DE if (!get_lsa_policy_samr_sid(p, &q_u->pol, &group_sid, &acc_granted)) return NT_STATUS_INVALID_HANDLE; - if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, GROUP_ACCESS_REMOVE_MEMBER, "_samr_del_groupmem"))) { + if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_GROUP_REMOVE_MEMBER, "_samr_del_groupmem"))) { return r_u->status; } @@ -3692,7 +3692,7 @@ NTSTATUS _samr_delete_dom_user(pipes_struct *p, SAMR_Q_DELETE_DOM_USER *q_u, SAM if (!get_lsa_policy_samr_sid(p, &q_u->user_pol, &user_sid, &acc_granted)) return NT_STATUS_INVALID_HANDLE; - if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, DELETE_ACCESS, "_samr_delete_dom_user"))) { + if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, STD_RIGHT_DELETE_ACCESS, "_samr_delete_dom_user"))) { return r_u->status; } @@ -3751,7 +3751,7 @@ NTSTATUS _samr_delete_dom_group(pipes_struct *p, SAMR_Q_DELETE_DOM_GROUP *q_u, S if (!get_lsa_policy_samr_sid(p, &q_u->group_pol, &group_sid, &acc_granted)) return NT_STATUS_INVALID_HANDLE; - if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, DELETE_ACCESS, "_samr_delete_dom_group"))) { + if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, STD_RIGHT_DELETE_ACCESS, "_samr_delete_dom_group"))) { return r_u->status; } @@ -3813,7 +3813,7 @@ NTSTATUS _samr_delete_dom_alias(pipes_struct *p, SAMR_Q_DELETE_DOM_ALIAS *q_u, S if (!get_lsa_policy_samr_sid(p, &q_u->alias_pol, &alias_sid, &acc_granted)) return NT_STATUS_INVALID_HANDLE; - if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, DELETE_ACCESS, "_samr_delete_dom_alias"))) { + if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, STD_RIGHT_DELETE_ACCESS, "_samr_delete_dom_alias"))) { return r_u->status; } @@ -3876,7 +3876,7 @@ NTSTATUS _samr_create_dom_group(pipes_struct *p, SAMR_Q_CREATE_DOM_GROUP *q_u, S if (!get_lsa_policy_samr_sid(p, &q_u->pol, &dom_sid, &acc_granted)) return NT_STATUS_INVALID_HANDLE; - if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, DOMAIN_ACCESS_CREATE_GROUP, "_samr_create_dom_group"))) { + if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_DOMAIN_CREATE_GROUP, "_samr_create_dom_group"))) { return r_u->status; } @@ -3941,7 +3941,7 @@ NTSTATUS _samr_create_dom_alias(pipes_struct *p, SAMR_Q_CREATE_DOM_ALIAS *q_u, S if (!get_lsa_policy_samr_sid(p, &q_u->dom_pol, &dom_sid, &acc_granted)) return NT_STATUS_INVALID_HANDLE; - if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, DOMAIN_ACCESS_CREATE_ALIAS, "_samr_create_alias"))) { + if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_DOMAIN_CREATE_ALIAS, "_samr_create_alias"))) { return r_u->status; } @@ -4003,7 +4003,7 @@ NTSTATUS _samr_query_groupinfo(pipes_struct *p, SAMR_Q_QUERY_GROUPINFO *q_u, SAM if (!get_lsa_policy_samr_sid(p, &q_u->pol, &group_sid, &acc_granted)) return NT_STATUS_INVALID_HANDLE; - if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, GROUP_ACCESS_LOOKUP_INFO, "_samr_query_groupinfo"))) { + if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_GROUP_LOOKUP_INFO, "_samr_query_groupinfo"))) { return r_u->status; } @@ -4055,7 +4055,7 @@ NTSTATUS _samr_set_groupinfo(pipes_struct *p, SAMR_Q_SET_GROUPINFO *q_u, SAMR_R_ if (!get_lsa_policy_samr_sid(p, &q_u->pol, &group_sid, &acc_granted)) return NT_STATUS_INVALID_HANDLE; - if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, GROUP_ACCESS_SET_INFO, "_samr_set_groupinfo"))) { + if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_GROUP_SET_INFO, "_samr_set_groupinfo"))) { return r_u->status; } @@ -4102,7 +4102,7 @@ NTSTATUS _samr_set_aliasinfo(pipes_struct *p, SAMR_Q_SET_ALIASINFO *q_u, SAMR_R_ if (!get_lsa_policy_samr_sid(p, &q_u->alias_pol, &group_sid, &acc_granted)) return NT_STATUS_INVALID_HANDLE; - if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, ALIAS_ACCESS_SET_INFO, "_samr_set_aliasinfo"))) { + if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_ALIAS_SET_INFO, "_samr_set_aliasinfo"))) { return r_u->status; } @@ -4171,7 +4171,7 @@ NTSTATUS _samr_open_group(pipes_struct *p, SAMR_Q_OPEN_GROUP *q_u, SAMR_R_OPEN_G if (!get_lsa_policy_samr_sid(p, &q_u->domain_pol, &sid, &acc_granted)) return NT_STATUS_INVALID_HANDLE; - if (!NT_STATUS_IS_OK(status = access_check_samr_function(acc_granted, DOMAIN_ACCESS_OPEN_ACCOUNT, "_samr_open_group"))) { + if (!NT_STATUS_IS_OK(status = access_check_samr_function(acc_granted, SA_RIGHT_DOMAIN_OPEN_ACCOUNT, "_samr_open_group"))) { return status; } diff --git a/source3/sam/interface.c b/source3/sam/interface.c index 4f5e565d2e..d08df42122 100644 --- a/source3/sam/interface.c +++ b/source3/sam/interface.c @@ -639,7 +639,7 @@ NTSTATUS sam_enum_domains(const SAM_CONTEXT *context, const NT_USER_TOKEN *acces return nt_status; } - if (!se_access_check(sd, access_token, SAMR_ACCESS_ENUM_DOMAINS, &acc_granted, &nt_status)) { + if (!se_access_check(sd, access_token, SA_RIGHT_SAM_ENUM_DOMAINS, &acc_granted, &nt_status)) { DEBUG(3,("sam_enum_domains: ACCESS DENIED\n")); return nt_status; } @@ -699,7 +699,7 @@ NTSTATUS sam_lookup_domain(const SAM_CONTEXT *context, const NT_USER_TOKEN *acce return nt_status; } - if (!se_access_check(sd, access_token, SAMR_ACCESS_OPEN_DOMAIN, &acc_granted, &nt_status)) { + if (!se_access_check(sd, access_token, SA_RIGHT_SAM_OPEN_DOMAIN, &acc_granted, &nt_status)) { DEBUG(3,("sam_lookup_domain: ACCESS DENIED\n")); return nt_status; } diff --git a/source3/utils/net_rpc.c b/source3/utils/net_rpc.c index 06538797e2..ae1e8dbbac 100644 --- a/source3/utils/net_rpc.c +++ b/source3/utils/net_rpc.c @@ -2014,7 +2014,7 @@ static int rpc_trustdom_list(int argc, const char **argv) }; /* SamrConnect */ - nt_status = cli_samr_connect(cli, mem_ctx, SAMR_ACCESS_OPEN_DOMAIN, + nt_status = cli_samr_connect(cli, mem_ctx, SA_RIGHT_SAM_OPEN_DOMAIN, &connect_hnd); if (!NT_STATUS_IS_OK(nt_status)) { DEBUG(0, ("Couldn't open SAMR policy handle. Error was %s\n", @@ -2025,7 +2025,7 @@ static int rpc_trustdom_list(int argc, const char **argv) /* SamrOpenDomain - we have to open domain policy handle in order to be able to enumerate accounts*/ nt_status = cli_samr_open_domain(cli, mem_ctx, &connect_hnd, - DOMAIN_ACCESS_ENUM_ACCOUNTS, + SA_RIGHT_DOMAIN_ENUM_ACCOUNTS, &queried_dom_sid, &domain_hnd); if (!NT_STATUS_IS_OK(nt_status)) { DEBUG(0, ("Couldn't open domain object. Error was %s\n", |